From 7306934e4bcbac9ac6b9379a0414b2a24e48da99 Mon Sep 17 00:00:00 2001
From: bptato
Date: Tue, 30 Sep 2025 17:56:01 +0200
Subject: [PATCH 1/2] Fix leak in JS_NewArrayFrom at OOM

If it "takes ownership of |values|", it must also free them on exception.

---
 quickjs.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/quickjs.c b/quickjs.c
index f93fcbef0..18c30f513 100644
--- a/quickjs.c
+++ b/quickjs.c
@@ -5161,21 +5161,26 @@ JSValue JS_NewArrayFrom(JSContext *ctx, int count, const JSValue *values)
 {
 JSObject *p;
 JSValue obj;
+ int i;

 obj = JS_NewArray(ctx);
 if (JS_IsException(obj))
- return JS_EXCEPTION;
+ goto exception;
 if (count > 0) {
 p = JS_VALUE_GET_OBJ(obj);
 if (expand_fast_array(ctx, p, count)) {
 JS_FreeValue(ctx, obj);
- return JS_EXCEPTION;
+ goto exception;
 }
 p->u.array.count = count;
 p->prop[0].u.value = js_int32(count);
 memcpy(p->u.array.u.values, values, count * sizeof(*values));
 }
 return obj;
+exception:
+ for (i = 0; i < count; i++)
+ JS_FreeValue(ctx, values[i]);
+ return JS_EXCEPTION;
 }

 JSValue JS_NewObject(JSContext *ctx)

From cff46045dd407049feed780cc89a2f286918741f Mon Sep 17 00:00:00 2001
From: bptato
Date: Tue, 30 Sep 2025 18:17:34 +0200
Subject: [PATCH 2/2] Avoid double-free

---
 quickjs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/quickjs.c b/quickjs.c
index 18c30f513..df90ef562 100644
--- a/quickjs.c
+++ b/quickjs.c
@@ -16580,9 +16580,9 @@ static JSValue JS_CallInternal(JSContext *caller_ctx, JSValueConst func_obj,
 pc += 2;
 call_argv = sp - call_argc;
 ret_val = JS_NewArrayFrom(ctx, call_argc, call_argv);
+ sp -= call_argc;
 if (unlikely(JS_IsException(ret_val)))
 goto exception;
- sp -= call_argc;
 *sp++ = ret_val;
 }
 BREAK;
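Review bot: The new `exception:` path makes JS_NewArrayFrom consume `values` on failure as well as on success, and nothing in the hunk documents that contract change; an embedder following the old pattern of freeing its array after a JS_EXCEPTION return now double-frees, which is exactly what the second patch has to repair in JS_CallInternal. I would state the rule where it is enforced, `exception: /* |values| are owned by us on every path: free them here, callers must not */`, and in the public declaration's comment (outside this hunk) say explicitly that the values are freed even when JS_EXCEPTION is returned. Presumably the header comment quoted in the commit message ("takes ownership of |values|") is the place for that; I cannot see it from here. It would also be worth checking every other caller of JS_NewArrayFrom for a free on its error path, since only the JS_CallInternal site is updated in this series.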
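Review bot: The moved `sp -= call_argc;` is now load-bearing for memory safety and carries no explanation: it has to run before the `goto exception` because JS_NewArrayFrom (after the previous patch) has already freed the arguments, and leaving them above `sp` would let the exception unwinder free them a second time. A one-line comment would keep a future cleanup from restoring the "natural" order, e.g. `sp -= call_argc; /* JS_NewArrayFrom consumed the args, even on failure; drop them before unwinding */`. JS_CallInternal begins and ends outside the hunk, and the claim that the unwinder frees everything still above `sp` is inferred from the fix rather than visible here. Since the intermediate state between the two patches double-frees on OOM, squashing them into one commit would keep every bisect point safe.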